Featured Speaker: George Spafford (ISACA)


© 2009, Cognizant Technology Solutions. Confidential

Featured Speaker: George Spafford

© Copyright IT Process Institute

Written by: Gene Kim, Paul Love and George Spafford

Visible Ops Security guides information security professionals in strengthening relationships with IT operations and development groups to advance IT objectives and business goals. It addresses the people side of IT, empowering security to work with operations teams to achieve closely aligned objectives and with development and release teams to integrate security requirements into preproduction work.

© 2009, Cognizant Technology Solutions. All Rights Reserved. The information contained herein is subject to change without notice.

Visible Ops Security

George Spafford, Principal Consultant, Cognizant


Agenda

Background

Phases

» (1) Stabilize the Patient and Get Plugged Into Production

» (2) Find Business Risks and Fix Fragile Artifacts

» (3) Implement Development and Release Controls

» (4) Continual Improvement


Management mandate alone is not sustainable

Only Nixon could go to China

The definition of insanity

Visible Ops Security published March 2008

Copyright of IT Process Institute – http://www.itpi.org


Background

Information security is an organizational and national level issue

Many regulatory and contractual obligations

Expectations from shareholders and other stakeholders

Information security is nothing new

Information security must achieve objectives while helping other groups attain theirs

Operations and Information Security have history of being at odds

Integration is vital


Phase 1


Stabilize the Patient and Get Plugged Into Production

Gain Situational Awareness

Integrate into Change Management

Reduce and Control Access

Codify Information Security Incident Handling Procedures and Modify First Response


Step 1: Gain Situational Awareness

Find out what senior management and the business wants from information security

Find out how the business units are organized and operate

What are the IT process and technology landscapes?

Find the high-level risk indicators


Step 2: Integrate into Change Management

Get invited to Change Advisory Board meetings

Build and electrify the fence

» Being able to answer “what changed?” is critical!

» Ops and Information Security need the answer

» Authorized Person, Authorized Change

» Authorized Person, Unauthorized Change

• Well intended, erroneous or malicious

» Unauthorized Person, Unauthorized Change

Ensure tone from top and define consequences

Substantiate that the electric fence is working

Look for red flags

Address failed changes
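As an added illustration of the "electric fence" (this code is not part of the original slides), the following Python reconciles change events reported by a detective control, such as file-integrity monitoring, against the CAB's approved change records and sorts each event into the three cells above. It also lists approvals for which nothing was ever detected, which is how you substantiate that the fence is working and surface failed or never-implemented changes. The hosts, accounts, paths, ticket numbers and change windows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ApprovedChange:
    """A change the CAB approved: which CI, who may implement it, and when."""
    ticket: str
    ci: str
    implementers: frozenset
    start: datetime
    end: datetime


@dataclass(frozen=True)
class DetectedChange:
    """One event from a detective control (e.g. file-integrity monitoring)."""
    ci: str
    path: str
    actor: str
    when: datetime


# Constructed sample data: hypothetical hosts, accounts and tickets.
AUTHORIZED_PERSONS = frozenset({"alice", "bob"})  # ops staff allowed to touch production at all

APPROVED = [
    ApprovedChange("CHG-1001", "web01", frozenset({"alice"}),
                   datetime(2009, 5, 4, 22, 0), datetime(2009, 5, 4, 23, 59)),
    ApprovedChange("CHG-1002", "db01", frozenset({"alice"}),
                   datetime(2009, 5, 6, 22, 0), datetime(2009, 5, 6, 23, 59)),
]

DETECTED = [
    DetectedChange("web01", "/etc/httpd/conf/httpd.conf", "alice", datetime(2009, 5, 4, 22, 15)),
    DetectedChange("web01", "/etc/ssh/sshd_config", "bob", datetime(2009, 5, 5, 9, 30)),
    DetectedChange("db01", "/etc/my.cnf", "svc_app", datetime(2009, 5, 5, 3, 0)),
]

AUTH_AUTH = "authorized person, authorized change"
AUTH_UNAUTH = "authorized person, unauthorized change"
UNAUTH_UNAUTH = "unauthorized person, unauthorized change"


def classify(change, approved, authorized_persons):
    """Place one detected change in the three-way matrix from the slide."""
    for a in approved:
        if (a.ci == change.ci and change.actor in a.implementers
                and a.start <= change.when <= a.end):
            return AUTH_AUTH, a.ticket
    if change.actor in authorized_persons:
        # An ops account, but no ticket covers it: well intended, erroneous or malicious.
        return AUTH_UNAUTH, None
    # Nobody who should be changing production at all.
    return UNAUTH_UNAUTH, None


def reconcile(detected, approved, authorized_persons):
    """Return (summary counts, per-event findings) for a review period."""
    summary = {AUTH_AUTH: 0, AUTH_UNAUTH: 0, UNAUTH_UNAUTH: 0}
    findings = []
    for c in detected:
        category, ticket = classify(c, approved, authorized_persons)
        summary[category] += 1
        findings.append((c.ci, c.path, c.actor, category, ticket))
    return summary, findings


def unobserved_approvals(detected, approved):
    """Approved tickets with no detected change in their window.

    Either the change failed / was never implemented, or the detective
    control is not watching that CI. Both need a follow-up: this is how
    you substantiate that the fence is actually electrified.
    """
    seen = set()
    for a in approved:
        for c in detected:
            if c.ci == a.ci and a.start <= c.when <= a.end:
                seen.add(a.ticket)
                break
    return sorted(a.ticket for a in approved if a.ticket not in seen)


if __name__ == "__main__":
    summary, findings = reconcile(DETECTED, APPROVED, AUTHORIZED_PERSONS)
    for f in findings:
        print(f)
    print(summary)
    print("approved but never observed:", unobserved_approvals(DETECTED, APPROVED))
```

The matching rule is deliberately strict: an approved implementer working outside the approved window, or on a different CI, lands in "authorized person, unauthorized change" and gets reviewed like any other red flag. Widening the window or the implementer set is a CAB decision, not something the script should do silently.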


Step 3: Reduce and Control Access

Reduce unnecessary access

Establish an account management process

Eliminate ghost accounts

Re-accredit accounts routinely
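An added example (not from the slides) of what "eliminate ghost accounts" and "re-accredit accounts routinely" look like as a repeatable check: the account inventory is reconciled against the identities HR still considers active, and each account is flagged for a missing or departed owner, dormancy, or overdue re-accreditation. The account names, the HR roster, the review date and the 90-day and 180-day thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample data: a hypothetical HR roster and account inventory.
HR_ACTIVE = {"alice", "bob", "carol"}   # identities HR still lists as employed
REVIEW_DATE = date(2009, 5, 5)           # the day this review runs (assumed)

ACCOUNTS = [
    {"name": "alice",      "kind": "user",    "owner": "alice",
     "last_login": date(2009, 5, 1),   "last_accredited": date(2009, 1, 15)},
    {"name": "dave",       "kind": "user",    "owner": "dave",      # left the company
     "last_login": date(2008, 11, 3),  "last_accredited": date(2008, 6, 1)},
    {"name": "svc_backup", "kind": "service", "owner": "erin",      # owner has left
     "last_login": date(2009, 5, 3),   "last_accredited": date(2008, 9, 1)},
    {"name": "svc_etl",    "kind": "service", "owner": "carol",
     "last_login": date(2008, 12, 20), "last_accredited": date(2009, 3, 1)},
    {"name": "tmpadmin",   "kind": "user",    "owner": None,        # nobody claims it
     "last_login": None,               "last_accredited": None},
]


def older_than(day, today, limit_days):
    """True when `day` is unknown or more than limit_days before today."""
    return day is None or (today - day).days > limit_days


def review_accounts(accounts, hr_active, today, dormant_days=90, reaccredit_days=180):
    """One pass of the account management process.

    ghost:      no owner, or the owner is no longer an active identity
    dormant:    never used, or unused for more than dormant_days
    reaccredit: never accredited, or accredited more than reaccredit_days ago
    """
    report = {"ghost": [], "dormant": [], "reaccredit": []}
    for a in accounts:
        if a["owner"] is None or a["owner"] not in hr_active:
            report["ghost"].append(a["name"])
        if older_than(a["last_login"], today, dormant_days):
            report["dormant"].append(a["name"])
        if older_than(a["last_accredited"], today, reaccredit_days):
            report["reaccredit"].append(a["name"])
    return report


def actions(accounts, report):
    """Turn the report into the action the reviewer should take per account.

    Ghost user accounts are disabled outright. Ghost service accounts get a
    new owner first: disabling them blindly is how security breaks production
    and loses the goodwill Phase 1 is trying to build with operations.
    """
    kinds = {a["name"]: a["kind"] for a in accounts}
    todo = {}
    for name in report["ghost"]:
        todo[name] = "disable" if kinds[name] == "user" else "assign owner, then re-accredit"
    for name in report["dormant"]:
        todo.setdefault(name, "confirm still needed, otherwise disable")
    for name in report["reaccredit"]:
        todo.setdefault(name, "re-accredit with owner")
    return todo


if __name__ == "__main__":
    rep = review_accounts(ACCOUNTS, HR_ACTIVE, today=REVIEW_DATE)
    for k, v in rep.items():
        print(k, v)
    for name, action in sorted(actions(ACCOUNTS, rep).items()):
        print(name, "->", action)
```

Run this on a schedule and feed the action list into the change process rather than acting on it directly: disabling an account is itself a change, and the account owner signing off on the re-accreditation is the evidence an auditor will later ask for.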


Step 4: Codify Info Sec Incident Handling, Modify First Response

Use ITIL Incident Management to track

Many factors:

» Access controls on incident records are critical at the record and field level: security incident details must not be readable by everyone with access to the incident system

» Need multiple models to handle different types of security incidents

» Incident Management will likely hand off to security incident handling / security operations

(1) Define when and how to engage information security

(2) Confirm scope of detective change controls

(3) Formalize information security incident response


Phase 2


Find Business Risks and Fix Fragile Artifacts

Setting the stage

Guide to the Assessment of IT General Controls based on Risk (GAIT-R)

» Establish Our Business Process Worry List

» Work the List, Zoom Out to Rule Out

» Find and Fix IT Control Issues

» Streamline IT Controls and Regulatory Compliance


Setting the stage

Cannot and must not protect everything equally

80/20 rule will apply

Bottom-up Approach

Top Down Risk Based Approach

Understanding reliance on critical controls is vital

» Reliance is placed when a control provides Critical Functionality to detect or prevent errors

Sarbanes-Oxley Year One was disastrous

» $3 billion spent remediating deficiencies that didn’t matter in Year One

Enter the Institute of Internal Auditors and GAIT


Guide to Assessment of IT General Controls based on Risk (GAIT-R)

(1) The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business

(2) Key controls identified as result of top-down assessment of business risk, risk tolerance, and controls required to manage/mitigate business risk (controls include automated and general IT)

(3) Business risks are mitigated by combination of manual and automated key controls

» To assess system of internal control to manage/mitigate business risks, key automated controls need to be assessed


Guide to Assessment of IT General Controls based on Risk (GAIT-R)

(4) IT general controls may be relied upon to provide assurance of the continued and proper operation of automated key controls (e.g., change management, access/information security, and operations)

» (4a) IT general control process risks that need to be identified: those that affect critical IT functionality in significant applications and related data

» (4b) IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network

» (4c) Risks in IT general control processes are mitigated by achievement of IT control objectives, not individual controls


Step 1: Establish Business Process Worry List

(1) Cover periphery by considering externally facing systems

(2) Discover and understand externally facing IT systems

» Enterprise Application Integration (EAI) tools

» File transfer services

» Vendor Portals

(3) Verify our Business Process Worry List

» Developed in Phase 1 but not yet verified

» Validate with internal audit, business continuity, finance, accounting, etc.


Step 2: Work the List, Zoom Out to Rule Out

(1) Get help to zoom out to rule out

» What can we rule out of scope using GAIT-R?

» We must focus on what matters

(2) Get confirmation of business process significance and complexity

(3) Get documentation on where reliance on critical IT functionality is placed in the business process

(4) Zoom in for a better view

» Dig into basic details of the services and supporting systems in scope

• Business process being supported, control objectives, applicable regulations, where critical data is stored


Step 3: Find and Fix IT Control Issues

(1) Prepare key IT general control processes

» Review each CI against the relevant ITGC processes and look for gaps

» Management picked the key controls to mitigate the risks that concerned them the most (this is key)

» Greatly focuses efforts

(2) Initiate corrective actions

Step 4: Streamline IT Controls and Regulatory Compliance

Control                                | Regulation 1   | Regulation 2   | Regulation 3   | Activity that will meet the needs of all regulations
AI6.1 Change Standards and Procedures  | Specific needs | Specific needs | Specific needs | (high-water mark for this control)
Next control                           | Specific needs | Specific needs | Specific needs | (high-water mark for this control)

(1) Establishing the high-water mark

(2) Document the IT controls and their monitoring


Phase 3


Implement Development and Release Controls

Integrate with Internal Audit

Integrate into Project Management

Integrate into the Development Life Cycle

Integrate into Release Management


Step 1: Integrate with Internal Audit

Formalize the relationship with [internal] audit

Demonstrate value

» Provide domain relevant expertise

» Educate audit staff – even if information security must fund training

» Share information security organizational information, policies and standards

» Ensure adherence to daily operational procedures – let audit know what to consider inserting into audit plans

• Prevent organization from sliding backwards by keeping audit informed


Step 2: Integrate into Project Management

Participate in PMO approval meetings

» Project review, filtering and prioritization

Determine information security relevance

Integrate into project review and approval

» Update project templates to include info sec risks

» Aim to improve quality of decision-making: not obtain veto power

» Involved with control/phase gate meetings

Leverage detective controls in change management

» Determine when project management is being bypassed

Link to detective controls in purchasing and accounting


Step 3: Integrate into Development Lifecycle

Advocate the Service Development Life Cycle perspective – not just software

Investments here pay off in the future!

(1) Begin a dialog with development

(2) Establish requirements definition and secure coding practices

(3) Establish secure testing practices


Step 4: Integrate into Release Management

Strive to reduce variation in production

Easier to sustainably support and secure standardized builds vs. snowflakes

» (1) Formalize the relationship with Release Management

» (2) Ensure standards for secure builds

• Configuration settings, approved libraries, etc.

» (3) Integrate with release testing protocols

» (4) Integrate into production acceptance

• Production acceptance checklists and contracts require information security approval before production release

» (5) Ensure adherence to release implementation instructions

» (6) Ensure production matches known and trusted states
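The following Python is an added example, not part of the original presentation, of turning items (2) and (6) into a check that can run in the release pipeline: a release candidate's configuration and bundled libraries are compared against a secure build standard, and a production snapshot is compared against the SHA-256 manifest of the trusted build. The standard, the setting names, the library versions, the paths and the file contents are constructed sample data.

```python
import hashlib

# Constructed secure-build standard: hypothetical settings and approved library versions.
STANDARD = {
    "config": {
        "ssl.min_version": "TLSv1.2",
        "debug": "false",
        "admin.bind": "127.0.0.1",
    },
    "libraries": {            # name -> versions information security has approved
        "libssl": {"0.9.8k", "0.9.8l"},
        "libxml2": {"2.7.3"},
    },
}


def check_build(config, libraries, standard=STANDARD):
    """Compare a release candidate against the secure build standard.

    config:    settings shipped with the build, name -> value
    libraries: bundled or linked libraries, name -> version
    Returns a list of findings; an empty list means the build conforms.
    """
    findings = []
    for key, want in standard["config"].items():
        got = config.get(key)
        if got is None:
            findings.append("config %s missing, standard requires %s" % (key, want))
        elif got != want:
            findings.append("config %s is %s, standard requires %s" % (key, got, want))
    for name, version in sorted(libraries.items()):
        approved = standard["libraries"].get(name)
        if approved is None:
            findings.append("library %s is not on the approved list" % name)
        elif version not in approved:
            findings.append("library %s %s not approved (approved: %s)"
                            % (name, version, ", ".join(sorted(approved))))
    return findings


def manifest(files):
    """Known-good manifest: path -> SHA-256 of content, taken from the trusted build."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def drift(trusted, observed):
    """What differs between the trusted state and what is actually in production."""
    return {
        "added": sorted(set(observed) - set(trusted)),
        "removed": sorted(set(trusted) - set(observed)),
        "modified": sorted(p for p in set(trusted) & set(observed)
                           if trusted[p] != observed[p]),
    }


# Constructed release candidate (non-conforming) and a conforming one for contrast.
CANDIDATE_CONFIG = {"ssl.min_version": "TLSv1.0", "admin.bind": "127.0.0.1"}
CANDIDATE_LIBS = {"libssl": "0.9.8k", "libxml2": "2.6.32", "libcurl": "7.19.5"}
CONFORMING_CONFIG = {"ssl.min_version": "TLSv1.2", "debug": "false", "admin.bind": "127.0.0.1"}
CONFORMING_LIBS = {"libssl": "0.9.8l"}

# Constructed file trees: the trusted build and what a production host actually has.
TRUSTED_FILES = {
    "/opt/app/app.conf": b"debug=false\n",
    "/opt/app/bin/app": b"\x7fELF-release-1",
}
PRODUCTION_FILES = {
    "/opt/app/app.conf": b"debug=true\n",          # edited in place
    "/opt/app/bin/app": b"\x7fELF-release-1",
    "/opt/app/hotfix.sh": b"#!/bin/sh\n",           # never went through release
}


if __name__ == "__main__":
    for finding in check_build(CANDIDATE_CONFIG, CANDIDATE_LIBS):
        print("BUILD:", finding)
    print("DRIFT:", drift(manifest(TRUSTED_FILES), manifest(PRODUCTION_FILES)))
```

Anything in "added" or "modified" is an unauthorized change until a ticket explains it, so the drift output belongs in the same change-management review as the detective controls from Phase 1; the build findings, by contrast, are a gate: a candidate with a non-empty list does not get production acceptance sign-off.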


Phase 4


Continual Improvement

Implement an Information Security Oversight Committee (ISOC)

» Review metrics

» Help with direction

Metrics drive behavior

Absolute numbers vs. Percentages

» 100% of 1 vs. 100% of 100,000 (can be a big difference)

High-level integration measures

» Customer satisfaction

» % of target operational process integration

» Number of challenged integrations

» % of codified process integrations


“Not everything that counts can be counted and not everything that can be counted counts."

Sign hanging in Albert Einstein's office at Princeton


Thank you

George Spafford, (269) 556-9597

[email protected]